{"id":1853,"date":"2025-04-10T10:21:31","date_gmt":"2025-04-10T14:21:31","guid":{"rendered":"https:\/\/www.peteonsoftware.com\/?p=1853"},"modified":"2025-04-10T10:21:31","modified_gmt":"2025-04-10T14:21:31","slug":"hack-the-box-walkthrough-dream-job-1","status":"publish","type":"post","link":"https:\/\/www.peteonsoftware.com\/index.php\/2025\/04\/10\/hack-the-box-walkthrough-dream-job-1\/","title":{"rendered":"Hack the Box Walkthrough: Dream Job-1"},"content":{"rendered":"

\"HackOur capture the flag walkthrough today is found over on Hack the Box (HTB). Instead of the offensive security walkthroughs that I’ve been doing, this one is more focused on defensive investigative skills. These classifications for these rooms at HTB are called “Sherlocks” and today’s room is a retired free one called Dream Job-1<\/a>. It focuses on researching a specific attack campaign, the attackers, and their tactics. Let’s get started.<\/p>\n

The first thing we have to do is download the attached zip file called DreamJob1.zip. They give you the password to extract it as hacktheblue<\/em>. Inside the zip is one file named IOCs.txt containing 3 lines of text. For now, we won’t need this file until Question 10.<\/p>\n

Task 1: Who Conducted Operation Dream Job?<\/strong><\/p>\n

So unlike TryHackMe, Hack the Box doesn’t really teach you how to do things. You either have to know how, have worked through some of their training elsewhere, have access to walkthroughs, or be good at searching. In this case, we’re going to go to the MITRE ATT&CK\u00ae homepage at https:\/\/attack.mitre.org\/<\/a>. Click on CTI then Campaigns. <\/p>\n

\"MITRE<\/p>\n

Scroll down until you get to C0022 Operation Dream Job or Ctrl-F and search for Operation Dream Job on the page.<\/p>\n

\"Operation<\/p>\n

Task 1 Answer: Lazarus Group<\/em><\/strong><\/p>\n

\n

Task 2: When was this operation first observed?<\/strong><\/p>\n

Click the name or ID of the campaign and it takes you here: https:\/\/attack.mitre.org\/campaigns\/C0022\/<\/a>. You can see in the Info Box on the right some quick info about this campaign, including when it was First Seen<\/em>.<\/p>\n

\"Operation<\/p>\n

Task 2 Answer: September 2019<\/em><\/strong><\/p>\n

\n

Task 3: There are 2 campaigns associated with Operation Dream Job. One is Operation North Star, what is the other?<\/strong><\/p>\n

Using the same image, we can see the Associated Campaigns<\/em>.<\/p>\n

Task 3 Answer: Operation Interception<\/em><\/strong><\/p>\n

\n

Task 4: During Operation Dream Job, there were the two system binaries used for proxy execution. One was Regsvr32, what was the other?<\/strong><\/p>\n

Scroll down or search for Binary Proxy Execution. You can see the two mentioned, the answer is the other one.
\n\"Operation<\/p>\n

Task 4 Answer: Rundll32<\/em><\/strong><\/p>\n

\n

Task 5: What lateral movement technique did the adversary use?<\/strong><\/p>\n

On the page, near the top, you can click into the ATT&CK\u00ae Navigator Layers dropdown and View.
\n\"Operation<\/p>\n

After you get to the layers, horizontally scroll right until you see Lateral Movement<\/em>. Click the header to have the column highlighted (can be a bit cramped and this helps to see).
\n\"Operation<\/p>\n

Task 5 Answer: Internal Spearphishing<\/em><\/strong><\/p>\n

\n

Task 6: What is the technique ID for the previous answer?<\/strong>
\nHover\/Click on that highlighted part and read the kick out.<\/p>\n

Task 6 Answer: T1534<\/em><\/strong><\/p>\n

\n

Task 7: What Remote Access Trojan did the Lazarus Group use in Operation Dream Job?<\/strong><\/p>\n

Go back to the Operation Dream Job Campaign Page<\/a>. Scroll down to Software.<\/p>\n

\"Operation<\/p>\n

Task 7 Answer: DRATzarus<\/em><\/strong><\/p>\n

\n

Task 8: What technique did the malware use for execution?<\/strong><\/p>\n

Click the Software Link for DRATzarus and go to https:\/\/attack.mitre.org\/software\/S0694\/<\/a><\/p>\n

Use the Navigator Layers dropdown like we did before and load up its Enterprise Layer<\/em> and go to Execution<\/em>. Native API<\/em> is highlighted.
\n\"DRATzarus<\/p>\n

Task 8 Answer: Native API<\/em><\/strong><\/p>\n

\n

Task 9: What technique did the malware use to avoid detection in a sandbox?<\/strong><\/p>\n

On the same page, under Discovery, there is a box called Virtualization\/Sandbox Evasion<\/em>. Its child box has the answer.
\n\"DRATzarus<\/p>\n

Task 9 Answer: Time Based Evasion<\/em><\/strong><\/p>\n

\n

Task 10: To answer the remaining questions, utilize VirusTotal and refer to the IOCs.txt file. What is the name associated with the first hash provided in the IOC file?<\/strong><\/p>\n

Looking in the file, the first hash is 7bb93be636b332d0a142ff11aedb5bf0ff56deabba3aa02520c85bd99258406f<\/em><\/p>\n

If we go to VirusTotal<\/a> and put in that hash, it takes us here<\/a><\/p>\n

\"Searching<\/p>\n

After you search, it takes you to the page and the answer is right in the header.<\/p>\n

\"First<\/p>\n

Task 10 Answer: IEXPLORE.EXE<\/em><\/strong><\/p>\n

\n

Task 11: When was the file associated with the second hash in the IOC first created?<\/strong><\/p>\n

Second hash from the file is adce894e3ce69c9822da57196707c7a15acee11319ccc963b84d83c23c3ea802<\/em>. If we search it, it takes us here<\/a>.<\/p>\n

Details -> History -> Creation Time <\/p>\n

\"The<\/p>\n

Task 11 Answer: 2020-05-12 19:26:17<\/em><\/strong><\/p>\n

\n

Task 12: What is the name of the parent execution file associated with the second hash in the IOC?<\/strong><\/p>\n

Same page, Relations -> Execution Parents <\/p>\n

\"The<\/p>\n

Task 12 Answer: BAE_HPC_SE.iso<\/em><\/strong><\/p>\n

\n

Task 13: Examine the third hash provided. What is the file name likely used in the campaign that aligns with the adversary’s known tactics?<\/strong><\/p>\n

Third hash from the file is 0160375e19e606d06f672be6e43f70fa70093d2a30031affd2929a5c446d07c1<\/em>. If we search it, it takes us here<\/a>.<\/p>\n

Go to Details -> Names<\/p>\n

Remember that according to the task, the victims of this were job seekers and that they used “fake job lures”, so…<\/p>\n

\"The<\/p>\n

Task 13 Answer: Salary_Lockheed_Martin_job_opportunities_confidential.doc<\/em><\/strong><\/p>\n

\n

Task 14: Which URL was contacted on 2022-08-03 by the file associated with the third hash in the IOC file?<\/strong><\/p>\n

Relations -> Contacted URLs, look for Scanned = 2022-08-03<\/p>\n

\"The<\/p>\n

Task 14 Answer: https:\/\/markettrendingcenter.com\/lk_job_oppor.docx<\/em><\/strong><\/p>\n

\n

That’s it. I hope you enjoyed this little Blue Team exercise in researching some details of an attack from some artifacts!<\/p>\n","protected":false},"excerpt":{"rendered":"

Our capture the flag walkthrough today is found over on Hack the Box (HTB). Instead of the offensive security walkthroughs that I’ve been doing, this one is more focused on defensive investigative skills. These classifications …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[153],"tags":[141,142],"class_list":["post-1853","post","type-post","status-publish","format-standard","hentry","category-capture-the-flag","tag-information-security","tag-infosec"],"_links":{"self":[{"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/posts\/1853","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/comments?post=1853"}],"version-history":[{"count":0,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/posts\/1853\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/media?parent=1853"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/categories?post=1853"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/tags?post=1853"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}